d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124

General

Target

d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe
Size

1.8MB
MD5

14e426e40efb41c9ee647ff8eeb8d3f8
SHA1

be7f2bd1b71af40cfb29320c843ef272701f1b67
SHA256

d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124
SHA512

9210b53bea9e2ff975aa8ee3ed2eb79234a9fba68dade923950b0b8ed6ed1a2976f6d9e6b5aec39132be823ff980177949311e1ebab9529e7d5d56512b502884

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp7za.exe

pid process

692 d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
2824 7za.exe
Loads dropped DLL 1 IoCs

Processes:

d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp

pid process

692 d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\idp.dll	js

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3020 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2520 taskkill.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 11 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3020	schtasks.exe

pid	process
2520	taskkill.exe

description	flow	ioc
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp

pid	process
692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exe7za.exe

description	pid	process
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeRestorePrivilege	2824	7za.exe
Token: 35	2824	7za.exe
Token: SeSecurityPrivilege	2824	7za.exe
Token: SeSecurityPrivilege	2824	7za.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp

pid process

692 d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exed92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp

description	pid	process	target process
PID 980 wrote to memory of 692	980	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
PID 980 wrote to memory of 692	980	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
PID 980 wrote to memory of 692	980	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
PID 692 wrote to memory of 2520	692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp	taskkill.exe
PID 692 wrote to memory of 2520	692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp	taskkill.exe
PID 692 wrote to memory of 2520	692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp	taskkill.exe
PID 692 wrote to memory of 2696	692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp	cscript.exe
PID 692 wrote to memory of 2696	692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp	cscript.exe
PID 692 wrote to memory of 3020	692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp	schtasks.exe
PID 692 wrote to memory of 3020	692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp	schtasks.exe
PID 692 wrote to memory of 3020	692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp	schtasks.exe
PID 692 wrote to memory of 2824	692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp	7za.exe
PID 692 wrote to memory of 2824	692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp	7za.exe
PID 692 wrote to memory of 2824	692	d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp	7za.exe

C:\Users\Admin\AppData\Local\Temp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe
"C:\Users\Admin\AppData\Local\Temp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Users\Admin\AppData\Local\Temp\is-GE9QH.tmp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GE9QH.tmp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp" /SL5="$20120,1194311,780288,C:\Users\Admin\AppData\Local\Temp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /im Vkotnakate_DJ.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\cscript.exe
"cscript.exe" C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\info.js
3⤵
PID:2696

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN VKDJ /SC ONLOGON /TR "C:\ProgramData\VkontakateDJ\Vkotnakate_DJ.exe /H" /F /DELAY 0001:00 /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3020

C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\7za.exe
"C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\5.10.zip" -pvkd -y -oC:\ProgramData\VkontakateDJ
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\5.10.zip
MD5
88461ea87a1eb08ea2728b980c410b21

SHA1
34a7775822195afdbb5ae79e220d0b6a84508318

SHA256
28e04228aef6e577cb5f545579fa8d509cb3fdd6ab2f9ec308e4f2f2e49434e5

SHA512
f06e4cb9f05eeb1c8add6b715fb5c105ab4166625c1ac6747477e2874b7d554de82afc574b2bf3a4202d621f8fb9888607a2dd7e05c3eaf39f67a168cfc2a6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\7za.exe
MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\info.js
MD5
ead0bf6ff4e3446ac39427cb3dffdc6e

SHA1
037444fdb1c81c804034959980738a049bbbbcf7

SHA256
d96634e77d01f0790758c72a76fd17ae1dcbafd719121fd0942826de2a5d1186

SHA512
31dc3c2c38358f6e049a77c49b98f675562f172219df3cf62a6815af30af5f6a8188d3d49a328ce2af09e3c8438ccdc1bae0dd25e838494b7a09830e6eff337c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GE9QH.tmp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
MD5
ac2adb4621cccacbafc3f06e2b29016c

SHA1
f9273150e00ae8513cbf741a67e4828e7c60f035

SHA256
1fdc97cf3fb4e31d15ea487ca3974b18cda979418f57c7b827f3c7275184ef3e

SHA512
f754b04e318786496444539023cdd143dc0990d27561a7afd2041830ba46cadec42cd159ec516ed1f478894f53f40dbda87954b2ee06ea2ddc2276419396c800

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GE9QH.tmp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
MD5
ac2adb4621cccacbafc3f06e2b29016c

SHA1
f9273150e00ae8513cbf741a67e4828e7c60f035

SHA256
1fdc97cf3fb4e31d15ea487ca3974b18cda979418f57c7b827f3c7275184ef3e

SHA512
f754b04e318786496444539023cdd143dc0990d27561a7afd2041830ba46cadec42cd159ec516ed1f478894f53f40dbda87954b2ee06ea2ddc2276419396c800

Download Submit
\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\idp.dll
MD5
55c310c0319260d798757557ab3bf636

SHA1
0892eb7ed31d8bb20a56c6835990749011a2d8de

SHA256
54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed

SHA512
e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

Download Submit
memory/692-0-0x0000000000000000-mapping.dmp

Download
memory/2520-3-0x0000000000000000-mapping.dmp

Download
memory/2696-5-0x0000000000000000-mapping.dmp

Download
memory/2824-8-0x0000000000000000-mapping.dmp

Download
memory/3020-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads